Best Enterprise IAM Solutions: Honest Comparison for Multi-Forest, On-Premises, and Hybrid Environments

May 27, 2026
8 min read

The requirements you've named — multi-domain and multi-forest AD support, on-premises deployment option (though cloud is on the horizon), and a vendor with a broad product range rather than a single-use tool — narrow the field significantly. Most modern mid-market platforms are designed for cloud-native environments and don't handle complex AD forest scenarios well. The platforms worth serious evaluation for your specific constraints are different from the platforms that dominate mid-market conversations.

The Multi-Forest Constraint: Why It Changes the Evaluation

Multi-forest and multi-domain Active Directory environments are a specific complexity level that most newer IGA platforms weren't designed to handle. When AD has multiple forests with trust relationships, the identity data model is significantly more complex — the same user may have accounts in multiple domains, provisioning must understand which domain to write to, and lifecycle events need to handle the cross-forest implications of role changes and departures.

Platforms built for cloud-native or single-directory environments hit architectural limits in complex forest scenarios. This is why your evaluation should specifically test multi-forest provisioning and deprovisioning in a POC environment before shortlisting — demo environments rarely show this complexity.

SailPoint (IIQ for On-Premises, ISC for Cloud)

SailPoint IdentityIQ (IIQ) is the on-premises platform and remains the most mature enterprise IGA option for complex hybrid and on-premises environments. IIQ has been deployed in some of the most complex enterprise environments in the world — multi-forest AD, diverse legacy system estates, and complex compliance requirements. The depth is genuine.

For multi-forest AD specifically: SailPoint IIQ has extensive experience with complex AD topologies. The platform can handle multi-forest provisioning, trust relationship navigation, and the organizational unit structures that large enterprises build over years of AD growth and acquisition.

The tradeoffs practitioners report are consistent: implementation is complex and time-consuming, BeanShell-based custom logic requires specialized expertise to develop and maintain, and post-go-live platform administration demands ongoing resources. SailPoint's own strategic investment is shifting to ISC (the cloud version), which means IIQ's development roadmap is increasingly maintenance-focused rather than feature-forward.

SailPoint ISC (Identity Security Cloud) is the cloud platform where new features are going. If your environment will move toward cloud over time, evaluating ISC for that future state makes sense. ISC has a faster implementation model than IIQ, a more configuration-driven interface, and AI-assisted capabilities (role mining, access review recommendations) that IIQ doesn't have.

The limitation for your specific requirements: ISC's multi-forest AD handling is less mature than IIQ's. The cloud-hosted nature means on-premises directory integration goes through the AD connector/virtual appliance rather than direct deployment.

Saviynt

Saviynt competes in the same enterprise space as SailPoint — large organizations with complex compliance requirements, SOX SoD controls, and hybrid infrastructure. Practitioners working in SAP-heavy environments often cite Saviynt's SAP integration depth as a differentiator.

For multi-forest environments: Saviynt handles complex AD topologies, though the specific depth compared to SailPoint IIQ in the most complex forest scenarios is less consistently documented in practitioner communities. A specific POC test against your forest configuration is essential before shortlisting.

The consistent practitioner cautions around Saviynt: reliability reports that appear more frequently than for SailPoint, a sales process that has been cited as resistant to real-environment POCs, and pricing that has come in over stated budget after connectors are added. These patterns appear independently across multiple evaluations and are worth specific verification.

Ping Identity

Ping Identity (now merged with ForgeRock as Ping Group) is the platform you mentioned in the context of Walmart's deployment. Ping has historically been strongest in customer identity (CIAM) and federation scenarios — complex B2B and B2C identity architectures, multi-tenant federation, and high-scale authentication.

Ping's workforce IGA capability (through PingDirectory, PingAccess, and governance modules) is more mature in the federation and authentication layer than in the JML lifecycle automation and access certification areas where SailPoint and Saviynt lead. For very large organizations with complex federation requirements — multiple corporate directories, B2B partner identity federation, external identity bridging — Ping's strength is relevant. For core IGA use cases (access reviews, role-based provisioning, compliance evidence), the practitioner community generally positions SailPoint and Saviynt as deeper.

The Walmart context is specifically about scale and federation complexity — one of the largest AD environments in the world with extensive B2B and partner identity requirements. That use case aligns with Ping's strengths; the general IGA governance use case may be better served by others.

Microsoft Entra ID

Entra ID (formerly Azure AD) is the right path for organizations heavily invested in Microsoft 365 and Azure who want to consolidate identity management within the Microsoft ecosystem. For Microsoft-centric environments, the governance capabilities (Lifecycle Workflows, PIM, access reviews, Entitlement Management) cover the essential IGA requirements without adding a separate vendor.

For your multi-forest requirement: Microsoft Entra Connect (formerly Azure AD Connect) and, more recently, Entra Cloud Sync handle AD-to-Entra ID synchronization from multiple forests. Multi-forest sync to a single Entra ID tenant is a supported and well-documented configuration.

The limitations: governance capabilities outside the Microsoft perimeter are limited, advanced SoD enforcement is not native to Entra, and the audit reporting depth is less mature than dedicated IGA platforms. For organizations that are genuinely Microsoft-centric and whose governance requirements don't extend significantly beyond the Microsoft ecosystem, Entra ID Governance is a strong consolidation play. For organizations with diverse application stacks that include significant non-Microsoft systems, the perimeter limitation becomes a governance gap.

One Identity

One Identity (formerly Quest Software) appears in your list and is worth including. It covers PAM (Safeguard), IGA (Identity Manager), and Active Roles for AD administration — a broad product suite that specifically addresses AD management, including complex forest topologies.

One Identity's AD administration capability (Active Roles specifically) is mature and handles complex forest structures effectively. The IGA platform (Identity Manager) is an enterprise-grade product with on-premises deployment capability. The challenge: One Identity's ecosystem is less commonly encountered in practitioner communities than SailPoint or Saviynt, which means the implementation partner ecosystem, community documentation, and practitioner resources are smaller.

ForgeRock / Ping (Post-Merger)

ForgeRock (now Ping) has historically been strongest in CIAM scenarios — consumer identity at scale, complex federation, and programmable identity logic. The post-merger Ping Group offering combines ForgeRock's CIAM and directory strength with Ping's enterprise IAM capabilities. The integrated platform is still maturing after the merger.

The On-Premises vs. SaaS Trajectory

Your note that on-premises is current but cloud may be on the horizon is important for platform selection. Choosing a platform today that has both on-premises and cloud deployment options (or a clear migration path between them) avoids having to replace the platform again when cloud becomes viable.

SailPoint's IIQ-to-ISC migration path exists but is actively managed by SailPoint on their timeline. Organizations on IIQ should understand that this migration is coming regardless — building the IIQ implementation knowing the ISC migration is ahead changes the implementation approach.

Saviynt's cloud-native architecture means on-premises deployment (where available) is the less-invested path in their roadmap.

One Identity's Identity Manager has both on-premises and cloud deployment options, which may be an advantage if the on-premises requirement is firm for a longer horizon.

What to Test in Your Evaluation

Given your specific requirements, the evaluation tests that matter most:

Multi-forest provisioning and deprovisioning. Bring your actual forest topology to the POC. Test creating a user in the correct domain based on organizational attributes, test modifying group memberships across trusts, and test deprovisioning across all forests on a single termination event.

Governance scope for non-Microsoft applications. If your application stack extends beyond Microsoft, test the connectors for your most important non-Microsoft applications specifically — not from the catalog list but from a live demo provisioning against your test environment.

Role definition and role mining. For multi-forest environments with complex organizational structures, role definition is substantial work. Test whether the platform's role mining surfaces insights from your actual access patterns or requires fully manual role construction.

Support model and reliability references. For any platform at this scale, ask specifically for references from customers who've experienced production incidents — not just happy path references — and understand the escalation and resolution timeline.
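As an added example (not code from the original article or from any of the vendors discussed), the following PowerShell script turns the multi-forest deprovisioning test above into a repeatable check: given a terminated user's sAMAccountName and the forests in scope, it walks every domain in every forest and reports any account that is still enabled or still holds group memberships after the single termination event. The forest names and account are placeholders; it assumes the ActiveDirectory module and trusts that let the running account query each forest.

```powershell
# Added example: verify one termination event was applied in every domain of every forest.
# Assumes the ActiveDirectory module and trust relationships that allow the running account
# to query each forest. $Forests and $SamAccountName are placeholders for the POC environment.
Import-Module ActiveDirectory

$Forests        = @('corp.example.test', 'acquired.example.test')   # placeholder forest FQDNs
$SamAccountName = 'jdoe'                                            # terminated user under test

$findings = foreach ($forest in $Forests) {
    # A forest may hold several domains; the user may have an account in any of them.
    $domains = (Get-ADForest -Identity $forest).Domains
    foreach ($domain in $domains) {
        $user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" `
                           -Server $domain -Properties Enabled, MemberOf `
                           -ErrorAction SilentlyContinue
        if (-not $user) { continue }    # no account in this domain, nothing to check

        # Expected post-termination state: disabled and stripped of group memberships.
        # The primary group (Domain Users) is not listed in MemberOf, so an empty list is expected.
        $issues = @()
        if ($user.Enabled)              { $issues += 'still enabled' }
        if ($user.MemberOf.Count -gt 0) { $issues += "still in $($user.MemberOf.Count) group(s)" }
        $status = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'deprovisioned' }

        [pscustomobject]@{
            Forest = $forest
            Domain = $domain
            DN     = $user.DistinguishedName
            Status = $status
        }
    }
}

$findings | Format-Table -AutoSize

# Fail the POC test case if any domain still has a live account for the user.
$incomplete = @($findings | Where-Object { $_.Status -ne 'deprovisioned' })
if ($incomplete.Count -gt 0) {
    Write-Warning "Deprovisioning incomplete in $($incomplete.Count) location(s)."
    exit 1
}
```

Run it before the termination event to confirm the accounts exist, then again after the platform reports the deprovisioning complete; the difference between the two runs is the evidence for this test case.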

Frequently Asked Questions

What is the best enterprise IAM platform for multi-forest Active Directory environments?

SailPoint IdentityIQ (IIQ) has the most documented experience with complex multi-forest AD environments and remains the most commonly deployed enterprise IGA platform for these scenarios. Saviynt and One Identity Identity Manager are the closest alternatives for on-premises complex AD requirements. Microsoft Entra ID supports multi-forest sync natively but is best suited for Microsoft-centric environments. Ping Identity is strongest for large-scale federation and CIAM scenarios rather than core IGA governance.

Is SailPoint or Saviynt better for enterprise IGA?

For most enterprise IGA use cases, the capabilities are comparable. The differentiators that matter: SailPoint has a larger connector catalog, a larger implementation partner ecosystem, and more documented complex AD experience. Saviynt has been cited as stronger for SAP environments and SOX SoD at provisioning time. Practitioner communities report more persistent reliability concerns about Saviynt. Saviynt's identity attribute limits can become a constraint for complex multi-position identity data models.

What enterprise IAM platforms support on-premises deployment?

SailPoint IdentityIQ, Saviynt (with on-premises deployment option), One Identity Identity Manager, and Ping Identity all support on-premises deployment. SailPoint's investment is shifting to ISC (cloud), making IIQ increasingly maintenance-focused. Organizations requiring long-term on-premises support should verify the vendor's on-premises roadmap commitment before selecting.